Reading into "Operation Satyagraha", one would have to believe, given all the resources used, that the investigators had some reason to believe there was data to decrypt, even though in theory and in practice TrueCrypt volumes should offer a "deniable file system".

What are possible sources of TrueCrypt data leaks that might betray the "Deniable File System" option, and what are counter-measures to defeat them?

5 Answers

The article doesn't mention how the investigators found the presence of a TrueCrypt volume (that could easily be your answer then :) )

One of a couple of ways you can use TrueCrypt is by making containers, which is basically an encrypted volume saved as a fixed-size file on your disk.
While there are ways to try to detect a truecrypt volume (entropy analysis etc.), I haven't heard of one that can authoritatively detect the volume.

There can be other indications on the drive that could point towards the presence of an encrypted volume. Trivial examples could be:

Presence of a file (with a .mpg extension?) which doesn't really belong to any known data format

The aforementioned file being of exactly 1GB !! (or of a fixed size equal to a whole number of MBs or KBs)

Recently opened entries in various software/logs indicating paths like P:\video.mpg (or /mnt/t/video.mpg in *nix) where no such fileshare/mount exists at the time of investigating. Or browser logs/cache of pages opened from that TrueCrypt mount.

Programs doing auto-saves - saving your data in non encrypted disk cache while you are viewing/editing a file from encrypted volume which is currently mounted.

None of the above conclusively indicates the presence of an encrypted drive (not even when considered collectively), but they can consolidate your belief if you have reasons to believe that there is an encrypted volume.

Encrypted data (be it TrueCrypt or any other software) will always look weird: text documents, etc., will have some regular or normal look. Files that contain pictures, music, compressed data, etc., will have a header that will be useful to identify it. Even programs (.exe files) will have a specific structure.

Encrypted data will look like random data that doesn't resemble any other data format. If you are looking for something inside a suspicious computer, and find a large file (or partition, or a whole volume) that looks totally random, well... it's not a regular file and you'll analyse it, and you'll bet it is encrypted.

So, how to hide a big file that looks different from a regular file?

To hide a TrueCrypt container (or any other program), pretending it's a regular archive: it would be a kind of steganography, and steganography needs a file that's much bigger than the data being hidden. So, for practical purposes, impracticable.

Another way to hide random data is to make everything else (or almost) also random. So, one would "save" random data in all empty space in the hard drive, even if that's not the content of anything else. But it would make clear that you're trying to hide something.

The only real alternative: don't let anyone get your HDD, so he can't imagine if you have some suspicious file inside it.

What are possible sources of TrueCrypt data leaks that might betray the "Deniable File System" option, and what are counter-measures to defeat them?

TrueCrypt itself is pretty good at NOT remembering anything you do. So the leaks are mostly the result of your own doings.

There is one problem that TrueCrypt cannot solve, however.

Assume you have an encrypted partition. It is filled with random data. Now think of this situation where you have a pre-image and post-image of the work (such as editing a file) you've done to the same partition. The differential analysis could tell the investigators that you do indeed have something in such a partition. Worse, it even points the investigators to some specific segments on disk. There goes denial.
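Two of the tells described in the answers above, the "looks totally random" file and the pre-image/post-image differential, can be demonstrated with a small scanner. This is an added example and not code from any answer; the 512-byte sector size, the 4096-byte chunk, the 7.9 bits/byte threshold and the constructed sample image are all assumptions, and the "ciphertext" is deterministic SHA-256 output standing in for encrypted data.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # assumed sector size for the snapshot comparison

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for constant data, close to 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_runs(image: bytes, chunk: int = 4096, threshold: float = 7.9):
    """Offsets [start, end) of contiguous chunks whose entropy is at or above threshold."""
    runs, start = [], None
    for off in range(0, len(image), chunk):
        e = shannon_entropy(image[off:off + chunk])
        if e >= threshold and start is None:
            start = off
        elif e < threshold and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(image)))
    return runs

def changed_sectors(before: bytes, after: bytes) -> list:
    """Sector numbers that differ between two equal-length snapshots of the same region."""
    return [i // SECTOR for i in range(0, len(before), SECTOR)
            if before[i:i + SECTOR] != after[i:i + SECTOR]]

def pseudo_random(nbytes: int) -> bytes:
    """Deterministic random-looking bytes (SHA-256 counter chain) standing in for ciphertext."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(nbytes // 32 + 1))
    return out[:nbytes]

def build_sample() -> bytes:
    """Constructed disk image: 8 KiB of text, 8 KiB of 'ciphertext', 4 KiB of text."""
    text = (b"The quick brown fox jumps over the lazy dog.\n" * 200)[:4096]
    return text * 2 + pseudo_random(8192) + text

def analyze() -> dict:
    """Run both checks: entropy scan of the image, and a diff of two snapshots."""
    before = pseudo_random(4096)
    after = bytearray(before)
    after[1600] ^= 0xFF  # one edited byte inside sector 3 of the snapshot
    return {"runs": high_entropy_runs(build_sample()),
            "changed": changed_sectors(before, bytes(after))}
```

The entropy scan flags only the middle 8 KiB, and the snapshot diff names the single sector that changed, which is exactly the "pinpoints specific segments" problem the last answer describes.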